
Infostealers targeting macOS jumped by 101% in second half of 2024


Infostealers were identified as the largest group of new macOS malware, having increased by 101% in the last two quarters of 2024, according to the Palo Alto Networks Unit42 research group.

The Unit42 research team pointed to three prevalent macOS infostealers in the wild: Poseidon, Atomic and Cthulhu.

While infostealers are often seen as limited in capability compared with trojans, the researchers said in a Feb. 4 blog post that by exfiltrating sensitive credentials, financial records and intellectual property, infostealers often lead to data breaches, financial losses and reputational damage.

“Most infostealers are indiscriminate, aiming to maximize data collection for impact and monetization,” wrote the researchers. “This broad range of information stealing capabilities exposes organizations to significant risks, including data leaks and providing initial access for further attacks, such as ransomware deployment.”

Jason Soroko, senior fellow at Sectigo, explained that these infostealer strains are exploiting AppleScript to bypass security controls and trick users into revealing credentials. Soroko said these threats mimic legitimate system prompts, making them harder to detect and contributing to a significant uptick in targeted attacks.

“Security teams must update their threat models and tighten, or at least start considering, defenses,” said Soroko. “The days of considering macOS immune to malware are over. They should restrict AppleScript permissions, bolster endpoint detection, and enforce user training to counter social engineering tactics. Routine patching, enhanced monitoring of system logs, and stricter control over application installations are critical to mitigating these growing risks.”

Jaron Bradley, director of Jamf Threat Labs, said infostealers have played a significant role in the rise of malware within the macOS ecosystem. AppleScript, while historically useful for power users, has also been widely exploited in malware, said Bradley.

“This is due to AppleScript's ability to quickly automate tasks, making it ideal for stealers,” said Bradley. “For instance, it can display a pop-up prompt asking for a password, which can then be captured and sent to the attacker in plain text. This step is essential for most stealers to access valuable credentials, and implementing it programmatically would require more effort. AppleScript is frequently relied upon for legitimate automation and developers have done great things with it, but like any useful technology, it can be a weapon when abused by an attacker.”
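As an added illustration of the log monitoring Soroko and Bradley describe, the following Python is example code written for this article (not from Unit 42 or the quoted researchers); it flags osascript invocations that build a hidden-answer dialog. The event format and the sample events are constructed for the example and do not mirror any particular EDR product.

```python
import re

# Constructed sample of process-execution events in a simplified, hypothetical
# JSON-like shape: executable path, full command line, and parent process path.
SAMPLE_EVENTS = [
    {"pid": 4101, "exe": "/usr/bin/osascript",
     "parent": "/Applications/Script Editor.app/Contents/MacOS/Script Editor",
     "cmdline": "osascript -e 'display dialog \"Backup complete\"'"},
    {"pid": 4177, "exe": "/usr/bin/osascript",
     "parent": "/private/tmp/.hidden/loader",
     "cmdline": "osascript -e 'display dialog \"macOS needs your password to update\" "
                "default answer \"\" with hidden answer with icon caution'"},
    {"pid": 4190, "exe": "/bin/zsh",
     "parent": "/Applications/iTerm.app/Contents/MacOS/iTerm2",
     "cmdline": "zsh -c ls"},
]

# A credential-phishing dialog built with AppleScript asks for an answer and
# hides what the user types; both markers must appear in the command line.
PROMPT_MARKERS = ("display dialog", "hidden answer")
# Words that lend a fake prompt authority; a benign progress dialog rarely uses them.
LURE_WORDS = re.compile(r"\b(password|passwd|credential|keychain)\b", re.I)
# Legitimate automation is seldom launched from temporary or hidden locations.
TEMP_PARENTS = ("/tmp/", "/private/tmp/", "/var/folders/")


def score_event(ev):
    """Return the list of indicators an osascript event matched (empty if none)."""
    reasons = []
    if not ev["exe"].endswith("/osascript"):
        return reasons
    cmd = ev["cmdline"].lower()
    if all(marker in cmd for marker in PROMPT_MARKERS):
        reasons.append("osascript hidden-answer dialog")
        if LURE_WORDS.search(cmd):
            reasons.append("prompt text mentions credentials")
    if ev["parent"].startswith(TEMP_PARENTS) or "/." in ev["parent"]:
        reasons.append("parent process runs from temp/hidden path")
    return reasons


def find_suspicious(events):
    """Return (pid, reasons) for every event that hit at least one indicator."""
    return [(ev["pid"], score_event(ev)) for ev in events if score_event(ev)]


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {'; '.join(reasons)}")
```

The first sample, a plain informational dialog from Script Editor, produces no hit; only the hidden-answer prompt launched from a temp path is reported.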

Eric Schwake, director of cybersecurity strategy at Salt Security, added that the significant rise in macOS infostealer detections challenges the notion that macOS is naturally more secure than other operating systems. Schwake said although Macs have long been viewed as less vulnerable to malware, malicious actors are increasingly attacking macOS users by exploiting weaknesses and user trust to access sensitive data.

“Security teams must stay alert and take a proactive stance against these dangers, understanding that no operating system is completely safe from attacks,” said Schwake. “This involves educating users on phishing and social engineering, utilizing strong endpoint security measures, and routinely updating software to fix vulnerabilities.”
